Cyclades AlterPath Manager Information Disclosure
Posted by sullo | 10/09/2007
Advisory listed 1.2.0 as vulnerable, which was incorrect. This was fixed as of APM version 1.2.0.
Product:
AlterPath Manager (APM) Console Server
Released:
01/23/2005
Description:
AlterPath Manager (APM) reveals sensitive system information without authentication.
Systems Affected:
AlterPath Manager 1.1.0 and below
Technical Description:
The APM reveals sensitive information, including:
- Boot Version
- Kernel Version
- Config Version
- OS Version
- AP Version
- Hardware information
This information is available through the web interface via the /about.html page.
Fix/Workaround:
This issue was corrected in APM release 1.2.0. For older versions, it may be possible to disable the web interface and connect to consoles via SSH only.
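One way to confirm, after upgrading or restricting the web interface, that /about.html no longer returns the fields listed above to an unauthenticated client. This is an added example, not part of the original advisory or any Cyclades tooling; the label matching, the function names and the sample bodies are assumptions.

```python
import re
import urllib.error
import urllib.request

# Field names as listed in the advisory. How about.html labels and lays them
# out is not stated there, so "label followed by a value" is an assumption.
# The "Hardware information" item has no known label and is not matched.
FIELDS = ["Boot Version", "Kernel Version", "Config Version",
          "OS Version", "AP Version"]

# Constructed sample bodies with made-up values (not captured from a device).
SAMPLE_DISCLOSING = "<table>" + "".join(
    f"<tr><td>{name}:</td><td>{i}.0.{i}</td></tr>"
    for i, name in enumerate(FIELDS, 1)) + "</table>"
SAMPLE_LOGIN = "<form action='/login'>User <input name='user'></form>"


def disclosed_fields(body):
    """Return the advisory's field names that appear with a value in body."""
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body))
    return [name for name in FIELDS
            if re.search(re.escape(name) + r"\s*:?\s*[\w(]*\d", text, re.I)]


def assess(status, body):
    """Classify one unauthenticated response to GET /about.html."""
    found = disclosed_fields(body) if status == 200 else []
    return ("exposed" if found else "not exposed"), found


def check_host(base_url, timeout=5):
    """Request /about.html without credentials from an APM you administer."""
    url = base_url.rstrip("/") + "/about.html"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return assess(resp.status, resp.read().decode("latin-1"))
    except urllib.error.HTTPError as err:      # 401/403/404 and similar
        return assess(err.code, "")
    except (urllib.error.URLError, OSError):   # refused, timeout, TLS failure
        return "unreachable", []


if __name__ == "__main__":
    print(assess(200, SAMPLE_DISCLOSING))
    print(assess(200, SAMPLE_LOGIN))
```

A redirect to a login page is followed and then classified by its body, so a 200 response that carries none of the fields still counts as not exposed.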
Vendor Status:
- Cyclades was notified on 12/13/2004 and confirmed receipt on 12/14/2004.
- Cyclades responded to an inquiry on 1/20/2005 to confirm version 1.2.5 would address this issue.
- Cyclades responded to an inquiry on 2/15/2005 to state they still did not have a release date, but did not respond with more information.
- Released on 2/23/2005.
- Cyclades responded on 2/25/2005 to clear up version information.
Contacts:
sullo@cirt.net
References:
Updated information can be found on OSVDB.org under the following entries:
- OSVDB-14073: Cyclades AlterPath Manager Information Disclosure
Updates:
